NEWS "Hello, I'm your system process": How YiBackdoor Becomes Invisible to Windows Defenses

ExcalibuR

Delete all suspicious registry entries if you don't want to lose your data.

Zscaler ThreatLabz has published a report on a new malware family it calls YiBackdoor, first observed in June 2025. Initial analysis showed significant source-code overlap with the IcedID and Latrodectus loaders, a link Zscaler singles out as key to understanding the sample's likely origin and its role in attacks.

The malware is a modular DLL with a basic set of remote host-control functions and a plugin mechanism for extending them: its default functionality is limited, but operators can download additional modules to expand its capabilities.

On execution the program copies itself into a newly created folder with a random name and establishes persistence through a value under the Windows Run registry key whose data launches regsvr32.exe with the path to the copied DLL; the value name is generated by a pseudo-random algorithm. The original module then deletes itself, complicating response and forensic analysis. Execution of the malicious logic is driven by an embedded, encrypted configuration from which the command-and-control (C2) server address is extracted. Communication with the C2 runs over HTTP, with commands delivered in the HTTP responses.

YiBackdoor's capabilities include gathering system metadata, taking screenshots, executing shell commands through cmd.exe and PowerShell, and downloading and initializing plugins that arrive Base64-encoded and encrypted. Key commands identified in the control mechanism are: Systeminfo, screen, CMD, PWS, plugin, task. Its code-injection technique targets the svchost.exe process, and its built-in anti-analysis checks are aimed at detecting virtual machines and sandboxes, reducing the chance that the payload triggers while being analysed in a protected environment.

Zscaler analysts note a range of similarities with IcedID and Latrodectus: the same injection method, an identical configuration format and decryption key length, and closely related algorithms for decrypting configuration blocks and plugins. Given these overlaps and the observed architecture, the company assesses with moderate-to-high confidence that the developers behind the earlier loaders are also behind YiBackdoor. Current deployments are limited, which points to a development or testing stage and suggests the sample is intended as a precursor to later stages of an intrusion, including preparing initial access for ransomware.

Zscaler stresses the importance of monitoring outbound HTTP requests and controlling registry changes, and of applying detection rules focused on behavioural signs of injection into svchost.exe and on regsvr32.exe loading a DLL from a random path; these indicators allow YiBackdoor deployment attempts to be caught early and limit the attackers' follow-on activity.
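The persistence chain described earlier (random-named folder, pseudo-random Run value name, regsvr32.exe pointing at the copied DLL) and the detection advice in the paragraph above can be turned into a small hunting rule. The following is an added example written for this post, not Zscaler's detection content or anything from the YiBackdoor sample: it runs over Sysmon-style records (Event ID 13 for registry value writes, Event ID 1 for process creation) and flags Run-key values or process launches where regsvr32.exe loads a DLL from outside the Windows or Program Files trees, from a random-looking folder, or under a random-looking value name. The trusted-root list, the "random-looking name" heuristic and all sample events are my own assumptions and constructed data; tune them before relying on the rule.

```python
import re

# Captures the value name of a Run / RunOnce autostart entry (HKLM or HKU hive).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
# regsvr32 invoked by bare name or full path on a command line.
REGSVR32_RE = re.compile(r"(?:^|[\\/\s\"'])regsvr32(?:\.exe)?(?=[\s\"']|$)", re.IGNORECASE)
# First .dll argument on the command line, quoted or bare.
DLL_ARG_RE = re.compile(r"\"([^\"]+?\.dll)\"|(\S+?\.dll)(?=\s|$)", re.IGNORECASE)
# Assumption: regsvr32 legitimately registers DLLs living under these roots; tune per fleet.
TRUSTED_ROOT_RE = re.compile(r"^[A-Za-z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.IGNORECASE)


def looks_random(token):
    """Heuristic (my assumption, not from the report) for generated names: an
    alphanumeric token of 6+ chars with almost no vowels, or with digits and
    frequent case flips. Real names such as 'OneDrive' or 'System32' pass."""
    if len(token) < 6 or not token.isalnum():
        return False
    letters = [c for c in token if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiouy" for c in letters) / len(letters)
    has_digit = any(c.isdigit() for c in token)
    case_flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 or (has_digit and case_flips >= 4)


def extract_dll_path(command):
    """Return the DLL path handed to regsvr32, or None if there is none."""
    m = DLL_ARG_RE.search(command)
    return (m.group(1) or m.group(2)) if m else None


def inspect_regsvr32_command(command, value_name=None):
    """Reasons a regsvr32 command line is suspicious; an empty list means clean."""
    reasons = []
    if not REGSVR32_RE.search(command):
        return reasons
    dll = extract_dll_path(command)
    if dll is None:
        return reasons
    if not TRUSTED_ROOT_RE.match(dll):
        reasons.append("regsvr32 loads a DLL outside trusted roots: " + dll)
    folder = dll.rsplit("\\", 1)[0].rsplit("\\", 1)[-1] if "\\" in dll else ""
    if looks_random(folder):
        reasons.append("DLL sits in a random-looking folder: " + folder)
    if value_name and looks_random(value_name):
        reasons.append("Run value name looks random: " + value_name)
    return reasons


def scan_events(events):
    """Apply the checks to Sysmon-style dicts: EID 13 (registry value set) for
    Run-key writes, EID 1 (process create) for regsvr32.exe launches."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if not m:
                continue
            reasons = inspect_regsvr32_command(ev["Details"], value_name=m.group(1))
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\regsvr32.exe"):
            reasons = inspect_regsvr32_command(ev["CommandLine"])
        else:
            continue
        if reasons:
            findings.append({"EventID": ev["EventID"], "reasons": reasons})
    return findings


# Constructed sample telemetry (not real IOCs): one persistence write shaped like the
# report's description, one benign autostart, the Run value firing, and a normal
# installer registering a COM DLL from Program Files.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Xq7vPbLm",
     "Details": r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\KzQ8vTxp\core.dll"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\KzQ8vTxp\core.dll"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\ExampleVendor\shellext.dll"'},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print("EventID", finding["EventID"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The path-outside-trusted-roots check carries most of the weight; the name heuristic is a weak secondary signal that will miss some generated names and should be treated as a score booster, not a trigger on its own. On the two constructed malicious records the rule returns two findings, the registry write with three reasons and the process launch with two, while both benign records are silent.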